An admin-level member of the Lockbit ransomware gang has been sentenced to four years in prison and ordered to pay nearly $1 million in restitution to his victims.

Last week, Mikhail Vasiliev faced down a Canadian court for crimes committed in affiliation with Lockbit – the international ransomware gang often described as the world’s most harmful cyber crime outfit.

Vasiliev, a Canadian-Russian national living in Ontario, Canada, was sentenced to nearly four years behind bars after pleading guilty to eight counts of cyber extortion, mischief and weapons charges.

According to CTV News, Justice Michelle Fuerst labelled the 34-year-old a “cyber-terrorist” while delivering the sentence, stating his conduct was “planned, deliberate, and coldly calculated”.

During the hearing, Vasiliev admitted he was a ransomware hacker who had on multiple occasions bargained with sensitive data in exchange for ransom payments from victims, including three separate businesses from Saskatchewan, Montreal, and Newfoundland.

The court heard these businesses, between 2021 and 2022, were effectively paralysed by Vasiliev as he encrypted their systems and financial data in attempts to extort them for hundreds of thousands of dollars.

Fuerst said Vasiliev’s criminal actions were “far from victimless crimes”, adding the Lockbit member was “motivated by his own greed” and further ordering he pay back more than $968,000 ($CA860,000) in restitution to his Canadian victims.

Caught red-handed

Vasiliev’s infect-and-extort attack method lines up with most Lockbit-related incidents – such as 2023’s service-stopping attack at UK mail delivery service Royal Mail – though it is unclear how much of a role he has played in the gang’s attacks outside of Canada.

The court heard Vasiliev was first arrested around 18 months ago after police performing a house search found the 34-year-old “sitting in the garage at a table with a laptop computer” and browsing a Lockbit dark web page.

According to court documents, a special agent of the US Federal Bureau of Investigation (FBI) – which has been investigating Lockbit since March 2020 – said the dark web page was likely a control panel which only Lockbit developers or affiliates would have access to.

During the same house search, investigators also found a seed-phrase credential used for accessing a Bitcoin wallet.

Later analysis of payments to this wallet revealed it had received a portion of a known Lockbit ransom payout.

Furthermore, an earlier house search saw Canadian law enforcement uncover a file named “TARGETLIST” on one of Vasiliev’s devices (containing a list of what appeared to be prospective and historical victims), a text file which appeared to include instructions for deploying Lockbit’s flagship strain of ransomware, and screenshots of a message exchange with dark web user “LockBitSupp”.

The chat with LockBitSupp – likely shorthand for LockBitSupport – explicitly detailed the status of stolen data stored on a Lockbit server and further discussed a confirmed Lockbit victim located in Malaysia.

Vasiliev’s lawyer voiced approval for the outcome of the trial, noting his client only recently became a cyber criminal while at home during the pandemic.

"Mikhail Vasiliev took responsibility for his actions, and that played out in today's courtroom with the sentence that was imposed," said Vasiliev's lawyer Louis Strezos.

Vasiliev has consented to extradition to the US where he faces further charges for conspiracy to intentionally damage protected computers and to transmit ransom demands.

Lockbit on last legs?

Lockbit accounted for 18 per cent of reported Australian ransomware incidents between 1 April 2022 and 31 March 2023, and US justice officials report the group has taken “tens of millions of dollars” in ransom payments from at least 1,000 cyber attacks across the globe.

Earlier this year, the Australian Federal Police alongside law enforcement agencies from nine other countries banded together to disrupt the operations of Lockbit, but only one week after 34 of its servers were taken down, a Lockbit blog page resurfaced on the dark web alongside a boastful message that the group was continuing business-as-usual.

The ransom group re-established a range of backup blogs and has gone on to share stolen data from victims as recently as two days ago, but experts suspect Lockbit is simply downplaying its damages to save face among its affiliates who buy into the gang’s ransomware-as-a-service model to deploy ransomware for a cut of any extorted profits.

The UK’s National Crime Agency insists LockBit remains “completely compromised”, with the international crackdown effort revealing a “huge amount of intelligence” about the gang for further disruptive action.

As part of the initiative, two further suspects were arrested in Poland and Ukraine – one of whom has been charged with infecting victims with Lockbit ransomware – and five indictments and three arrest warrants were issued.